RE


Finally got root! Thanks @v1p3r0u5 fun box! PM me for help

Finally rooted this. Really fun box. This is a box I’ll go back to and explore further.

User and root both take a similar path (at least the way I did it), and almost everything one needs is on port 80. Feel free to PM for hints.

Hi,
I’m trying to get initial access to this box.
I’ve enumerated the box, identified the two ports, read stuff and taken some notes on file extensions o**, obf and some invocation restrictions that may be in place according to the ya rs that may be in place.
I can put things on the malware share and I see them disappear after a few seconds, so this helps me understand; things seem to make sense according to what’s on the blog.
I’m trying to embed different kinds of commands, using obf and without using it, doing some PoCs locally with a Win10 instance and Defender on. While these PoCs are running locally I don’t get any signal from RE.
I’ve also changed some metadata from the o** file generated by msf, so it is safer in the eyes of possible y*** rules scanning those xml.
I’m pretty sure I’m on the right path but not sure how to proceed to get that rce.
I’ve tried commands to directly power me with a rev shell, simple things such as trying to catch NTLM hashes with Responder, or just trying to get hit by an HTTP request using different available tools on Windows.
Maybe I’ve been doing too much and missing or failing some power direct rev shells on the syntax?
Any hint please?

Got in. As someone already said, try the simplest. Anyway, I have learned a lot about interacting programmatically with o** files and y*** stuff, in different flavors, hehehe

Is the reblog.htb site supposed to come up with a page?

Hi guys,

can someone pls pm me, need a hint for user.

rooted. A great opportunity for learning Windows priv esc. Thank you @naveen1729 for your advice.
As for the last step, I took an impersonation way by using in******o.

Rooted - thank you to @dlh61 @denstr & @naveen1729 for the nudges onwards.

@johnnyz187 said:

> Is it just me or is there something wrong with the exploit?? I understand what I have to upload and my script to the .o** is correct, but every time I execute it, I get nothing?? Is there another attack path or is this just a rabbit hole???

Hi, can someone give me a nudge on the initial foothold? Read everything, have a basic idea of what needs to be done, but do not find the place where authentication is used for the upload path (no creds found, read only). So stuck at step 1 basically, getting initial access for abusing that :smile:

@stanl3yz3ro said:

> Hi guys,
>
> can someone pls pm me, need a hint for user.

Read the good information on the blog.

can I get some advice on modifying the .o file?

First question, what kind of enumeration one needs to perform to get to blog?
Second: I know the basic idea for the initial foothold, so should I manipulate the strings inside the msf rev shell to bypass y*** r****? Is this the right direction?

Got User, but I have not a full shell … Need some advice if behavior of some commands is normal… Free to PM me :slight_smile:

Is anyone else having trouble running enum scripts on the machine? I keep getting the same Service Control Manager error. I could probably do without it but I’m curious as to a workaround, since this seems reasonably likely to come up on other boxes.

EDIT: Nevermind, it was just a problem with the shell I was using :smile:

Got User. Now on the way to Root. The gh**ra thing is a rabbit hole?

EDIT: Rooted. Yeap, it was a rabbit hole. Cool box overall, I really enjoyed the root part. Tip: Do NOT eat rotten potatoes in 2019. Keep it simple and stick to the basics.

Finally rooted. This was by far the most difficult box to date that I have experienced. Learned many different methods and concepts. Like to give thanks and respect to @d4rkpayl0ad, @v1p3r0u5 and @naveen1729 for help and guidance on this monster.

GG :slight_smile: I suck at the root part …
